Node 17-18 throws SSL error - optional setting?

[Notice-Jeroen-Meijer]

Starting Node 17 an SSL default has changed, having to do with SSL renegotiation. An endpoint I need to use did fail on this leading to an error thrown, already in the discovery fetching the well-known-url.

I seem to have managed to get around this by tweaking request.js adding a default (after line 45)

secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT,

That feels awfully hacky of course. Setting defaults to the node runtime reportedly didn't do the trick, or I simply misunderstood several posts relating to this in the context of https calls; I did not find anything specifically to node-openid.

My question / item for discussion is basically: is there a better way to do this? If not, is it maybe an option to set http(s) options at initialisation?

[Notice-Jeroen-Meijer]

I think I found my answer in the "customizing" doc https://github.com/panva/node-openid-client/blob/main/docs/README.md#customizing.

So in my calling code I would do....

const { custom } = require('openid-client');
const crypto = require('crypto');

custom.setHttpOptionsDefaults({
	secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT
});

This seems much cleaner than hard-coding as in my first post. However, setting securityOptions is not allowed. My only option was to add "securityOptions" to the list of allowable options, again in request.js. Maybe I can suggest to add securityOptions as an allowable setting?

This would IMHO be a non-breaking change. Happy to do a PR if agreeable.